9.7.1-alpha.4

9.7.1-alpha.4 (2026-04-02)

Bug Fixes

• File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) (#10383) (dd7cc41)

8.6.73

8.6.73 (2026-04-02)

Bug Fixes

• File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) (#10384) (0de3e9f)

9.7.1-alpha.3

9.7.1-alpha.3 (2026-04-01)

Bug Fixes

• Session field guard bypass via falsy values for ACL and user fields (#10382) (ead12bd)

9.7.1-alpha.2

9.7.1-alpha.2 (2026-04-01)

Bug Fixes

• Nested batch sub-requests cause unclear error (#10371) (6635096)

8.6.72

8.6.72 (2026-03-31)

Bug Fixes

• Security upgrade @apollo/server from 4.12.1 to 4.13.0 (#10082) (18a1560)

9.7.1-alpha.1

9.7.1-alpha.1 (2026-03-30)

Bug Fixes

• Streaming file download bypasses afterFind file trigger authorization (GHSA-hpm8-9qx6-jvwv) (#10361) (a0b0c69)

9.7.0

9.7.0 (2026-03-30)

Bug Fixes

• Auth data exposed via verify password endpoint (GHSA-wp76-gg32-8258) (#10323) (770be86)
• Batch login sub-request rate limit uses IP-based keying (#10349) (63c37c4)
• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)
• Cloud function validator bypass via prototype chain traversal (GHSA-vpj2-qq7w-5qq6) (#10342) (dc59e27)
• Duplicate session destruction can cause unhandled promise rejection (#10319) (92791c1)
• GraphQL API endpoint ignores CORS origin restriction (GHSA-q3p6-g7c4-829c) (#10334) (4dd0d3d)
• GraphQL complexity validator exponential fragment traversal DoS (GHSA-mfj6-6p54-m98c) (#10344) (f759bda)
• LiveQuery protected field leak via shared mutable state across concurrent subscribers (GHSA-m983-v2ff-wq65) (#10330) (776c71c)
• LiveQuery protected-field guard bypass via array-like logical operator value (GHSA-mmg8-87c5-jrc2) (#10350) (f63fd1a)
• Maintenance key blocked from querying protected fields (#10290) (7c8b213)
• MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf) (#10326) (e7efbeb)
• Missing error messages in Parse errors (#10304) (f128048)
• Postgres query on non-existent column throws internal server error (#10308) (c5c4325)
• Session field immutability bypass via falsy-value guard (GHSA-f6j3-w9v3-cq22) (#10347) (9080296)

Features

• Add protectedFieldsSaveResponseExempt option to strip protected fields from save responses (#10289) (4f7cb53)
• Add protectedFieldsTriggerExempt option to exempt Cloud Code triggers from protectedFields (#10288) (1610f98)
• Add support for partialFilterExpression in MongoDB storage adapter (#10346) (8dd7bf2)
• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

9.7.0-alpha.18

9.7.0-alpha.18 (2026-03-30)

Features

• Extend storage adapter interface to optionally return matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)

8.6.71

8.6.71 (2026-03-30)

Bug Fixes

• Streaming file download bypasses afterFind file trigger authorization (GHSA-hpm8-9qx6-jvwv) (#10362) (053109b)

9.7.0-alpha.17

9.7.0-alpha.17 (2026-03-29)

Bug Fixes

• Cloud Code trigger context vulnerable to prototype pollution (#10352) (d5f5128)